Resiliency of open-source firewalls against remote discovery of last-matching rules

Khaled Salah; Karim Sattar; Zubair Baig; Mohammed Sqalli; Prasad Calyam

doi:10.1145/1626195.1626242

Resiliency of open-source firewalls against remote discovery of last-matching rules

Khaled Salah^*, Karim Sattar, Zubair Baig, Mohammed Sqalli, Prasad Calyam

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

3 Scopus citations

Abstract

In today's networks, firewalls act as the first line of defense against unwanted and malicious traffics. Firewalls themselves can become targets of DoS attacks, thus jeopardizing their primary operation to filter traffic. Typically, packets are checked against a firewall policy consisting (in many cases) of thousands of rules. Last-matching rules are located at the bottom of the ruleset and consume the most CPU processing power of firewalls. If these rules get discovered by an attacker, the attacker can effectively launch a low-rate DoS attack that can bring the firewall to its knees. In prior work [1], we proposed and evaluated a technique to remotely discover the last matching rules of the Linux Netfilter firewall. In this paper, we examine the effectiveness of such technique on the discovery of last-matching rules in two other popular open-source network firewalls, namely Linux IPSets and FreeBSD ipfw.

Original language	English
Title of host publication	SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks
Pages	186-192
Number of pages	7
DOIs	https://doi.org/10.1145/1626195.1626242
State	Published - 2009

Publication series

Name	SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks

Keywords

DoS attacks
Firewalls
Nework security

ASJC Scopus subject areas

Artificial Intelligence
Computational Theory and Mathematics
Computer Networks and Communications
Software

Access to Document

10.1145/1626195.1626242

Cite this

Salah, K., Sattar, K., Baig, Z., Sqalli, M., & Calyam, P. (2009). Resiliency of open-source firewalls against remote discovery of last-matching rules. In SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks (pp. 186-192). Article 1626242 (SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks). https://doi.org/10.1145/1626195.1626242

@inproceedings{169d2b9f7e1e417991e7a47b266cdff6,

title = "Resiliency of open-source firewalls against remote discovery of last-matching rules",

abstract = "In today's networks, firewalls act as the first line of defense against unwanted and malicious traffics. Firewalls themselves can become targets of DoS attacks, thus jeopardizing their primary operation to filter traffic. Typically, packets are checked against a firewall policy consisting (in many cases) of thousands of rules. Last-matching rules are located at the bottom of the ruleset and consume the most CPU processing power of firewalls. If these rules get discovered by an attacker, the attacker can effectively launch a low-rate DoS attack that can bring the firewall to its knees. In prior work [1], we proposed and evaluated a technique to remotely discover the last matching rules of the Linux Netfilter firewall. In this paper, we examine the effectiveness of such technique on the discovery of last-matching rules in two other popular open-source network firewalls, namely Linux IPSets and FreeBSD ipfw.",

keywords = "DoS attacks, Firewalls, Nework security",

author = "Khaled Salah and Karim Sattar and Zubair Baig and Mohammed Sqalli and Prasad Calyam",

year = "2009",

doi = "10.1145/1626195.1626242",

language = "English",

isbn = "9781605584126",

series = "SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks",

pages = "186--192",

booktitle = "SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks",

}

Salah, K, Sattar, K, Baig, Z, Sqalli, M & Calyam, P 2009, Resiliency of open-source firewalls against remote discovery of last-matching rules. in SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks., 1626242, SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks, pp. 186-192. https://doi.org/10.1145/1626195.1626242

Resiliency of open-source firewalls against remote discovery of last-matching rules. / Salah, Khaled; Sattar, Karim; Baig, Zubair et al.
SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks. 2009. p. 186-192 1626242 (SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Resiliency of open-source firewalls against remote discovery of last-matching rules

AU - Salah, Khaled

AU - Sattar, Karim

AU - Baig, Zubair

AU - Sqalli, Mohammed

AU - Calyam, Prasad

PY - 2009

Y1 - 2009

N2 - In today's networks, firewalls act as the first line of defense against unwanted and malicious traffics. Firewalls themselves can become targets of DoS attacks, thus jeopardizing their primary operation to filter traffic. Typically, packets are checked against a firewall policy consisting (in many cases) of thousands of rules. Last-matching rules are located at the bottom of the ruleset and consume the most CPU processing power of firewalls. If these rules get discovered by an attacker, the attacker can effectively launch a low-rate DoS attack that can bring the firewall to its knees. In prior work [1], we proposed and evaluated a technique to remotely discover the last matching rules of the Linux Netfilter firewall. In this paper, we examine the effectiveness of such technique on the discovery of last-matching rules in two other popular open-source network firewalls, namely Linux IPSets and FreeBSD ipfw.

AB - In today's networks, firewalls act as the first line of defense against unwanted and malicious traffics. Firewalls themselves can become targets of DoS attacks, thus jeopardizing their primary operation to filter traffic. Typically, packets are checked against a firewall policy consisting (in many cases) of thousands of rules. Last-matching rules are located at the bottom of the ruleset and consume the most CPU processing power of firewalls. If these rules get discovered by an attacker, the attacker can effectively launch a low-rate DoS attack that can bring the firewall to its knees. In prior work [1], we proposed and evaluated a technique to remotely discover the last matching rules of the Linux Netfilter firewall. In this paper, we examine the effectiveness of such technique on the discovery of last-matching rules in two other popular open-source network firewalls, namely Linux IPSets and FreeBSD ipfw.

KW - DoS attacks

KW - Firewalls

KW - Nework security

UR - https://www.scopus.com/pages/publications/70350627491

U2 - 10.1145/1626195.1626242

DO - 10.1145/1626195.1626242

M3 - Conference contribution

AN - SCOPUS:70350627491

SN - 9781605584126

T3 - SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks

SP - 186

EP - 192

BT - SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks

ER -

Salah K, Sattar K, Baig Z, Sqalli M, Calyam P. Resiliency of open-source firewalls against remote discovery of last-matching rules. In SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks. 2009. p. 186-192. 1626242. (SIN'09 - Proceedings of the 2nd International Conference on Security of Information and Networks). doi: 10.1145/1626195.1626242

Resiliency of open-source firewalls against remote discovery of last-matching rules

Abstract

Publication series

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this